Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-66548

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

Published

2025-12-05T18:15:57.967

Last Modified

2025-12-09T19:01:55.210

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 3.3 (LOW)

Weaknesses

Type: Secondary
CWE-116

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	deck	< 1.12.7	Yes
Application	nextcloud	deck	< 1.14.4	Yes
Application	nextcloud	deck	< 1.15.1	Yes

References

https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a Patch ([email protected])
https://github.com/nextcloud/deck/pull/6671 Issue Tracking ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6 Patch, Vendor Advisory ([email protected])
https://hackerone.com/reports/2326618 Permissions Required, Vendor Advisory ([email protected])